2018-04-09 - GRANDSOFT EK SENDS ZEUS PANDA BANKER

ASSOCIATED FILES:

  • 2018-04-09-Grandsoft-EK-sends-Zeus-Panda-Banker.pcap   845 kB (845,141 bytes)
  • Zip archive of the malware & artifacts: 2018-04-09-Grandsoft-EK-malware-and-artifacts.zip   275 kB (275,030 bytes)
    • 2018-04-09-Grandsoft-EK-part-1-landing-page.txt   0.5 kB (530 bytes)
    • 2018-04-09-Grandsoft-EK-part-2.txt   12.7 kB (12,685 bytes)
    • 2018-04-09-Grandsoft-EK-part-3-dwie.hta.txt   8.0 kB (8,002 bytes)
    • 2018-04-09-Grandsoft-EK-part-4-malware-payload-Zeus-Panda-Banker.exe   290 kB (290,304 bytes)

NOTES:

Shown above: Grandsoft doesn't seem to be a very "hard" exploit kit.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following domains:

TRAFFIC

Shown above: Infection traffic filtered in Wireshark.

Shown above: Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

TRAFFIC LEADING TO GRANDSOFT EK:

GRANDSOFT EK:

POST-INFECTION TRAFFIC FROM ZEUS PANDA BANKER:

FILE HASHES

MALWARE PAYLOAD - ZEUS PANDA BANKER:

Shown above: Zeus Panda Banker made persistent on an infected Windows host.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.